perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your critical business processes, it's not as complicated as it may seem.

After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to do. You will then have answers to the compliance questions that come up during audits, and you will have put your POS systems in a better state of security.

PCI’s Shift toward Application Control

One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive in measuring your security controls. For POS systems, this means ensuring that the information used to measure both compliance and security status is as close to real time as possible, while focusing the analysis on a smaller subset of data.

The first validation shift that can help to enable compliance and improve security posture is a move from negative to positive security. With this model, rather than blocking only the software and activity known to be bad, you allow only the software known to be good. This shift supports continuous compliance and protection while enabling real-time visibility of your in-scope PCI assets. You'll get a better hold on measuring risk, verifying controls, and continuously monitoring security.

Adding an approval-based (trust-based) security posture enables merchants with POS systems to reduce the administrative cost of routine pre- and post-compliance analysis, free up endpoint processing power, and protect systems after critical patch support has ended (for example, POS terminals running an operating system that no longer receives security updates).

Moving POS endpoints into a positive security posture lowers administrative effort, reduces scope, and improves performance. It focuses on the "known good" rather than on an ever-growing list of things that are bad, and reduces the reliance on constantly scanning the POS endpoint for known malware. Positive security exposes and enforces adherence to compliance while protecting POS systems by placing them in a default-deny state, where anything that's not part of the trust policy cannot execute.

Merging Compliance Policy with Security Controls

The convergence of security controls with compliance policies has been gradual, and it hasn't always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to implementing such controls. The ideal outcome is a convergence of compliance and security that provides active intelligence: answers on the enforcement of the audit controls and also on the current security posture and risk.

Many PCI controls can be used to help synchronize the compliance evidence with the security metrics. For POS systems, a positive security solution must

✓ Require very few system resources

✓ Proactively drive a security policy to the endpoints by allowing only trusted applications to run

✓ Detect, identify, rank, eliminate, and block malicious software

In addition, a positive security solution can

✓ Provide visibility into what’s happening on all IT assets

✓ Categorize the risks, without relying on signatures

✓ Verify and scrutinize the security controls

✓ Perform continuous monitoring of these controls

✓ Provide reports that enable IT to take proactive, corrective actions and/or prove compliance

Ensuring Ongoing PCI Compliance

Chapter 5: Solving the PCI Challenge for Point of Sale

By placing POS systems into a positive security posture, measured against a trust policy (only the software you trust can run on your enterprise systems), you will be able to continuously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assessment process to ensure that compliance really does equal the true state of security.

There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI com-pliance. You will be able to

✓ Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities

✓ Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering

✓ Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring

✓ Protect your critical configuration files from unauthorized changes

✓ Enforce your trust policies whether your systems are online or offline

✓ Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset
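The default-deny trust policy described under "PCI's Shift toward Application Control" and the file-integrity monitoring and configuration-file protection listed above both come down to the same mechanism: hash the file, compare the hash against a policy or a baseline, and record the verdict as evidence. The Python below is an added example written for this edit; it is not code from the original page or from any vendor product it describes. The file names, the `banned_names` list, the sample file contents and the `demo()` scenario are all constructed for illustration.

```python
"""Added example: default-deny application control plus a file-integrity
baseline for a POS endpoint. Illustrative code, not a product's own logic."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

Decision = Tuple[str, str, str]  # (verdict, reason, sha256 hex digest)


def sha256_of(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass
class TrustPolicy:
    """Positive-security policy: only files whose hash is approved may run.

    Bans are checked first so an explicit deny always beats an approval, and
    anything that matches nothing falls through to the default-deny verdict.
    The name-based ban list is a hypothetical addition for the example.
    """
    approved_hashes: Set[str]
    banned_hashes: Set[str] = field(default_factory=set)
    banned_names: Set[str] = field(default_factory=set)

    def decide(self, path: str) -> Decision:
        name = os.path.basename(path).lower()
        digest = sha256_of(path)
        if digest in self.banned_hashes:
            return ("deny", "banned-hash", digest)
        if name in self.banned_names:
            return ("deny", "banned-name", digest)
        if digest in self.approved_hashes:
            return ("allow", "approved", digest)
        return ("deny", "not-in-trust-policy", digest)  # default deny


def baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record the known-good hash of each monitored file (configs, binaries)."""
    return {p: sha256_of(p) for p in paths}


def integrity_changes(base: Dict[str, str], paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Compare the current state of the monitored files with the baseline."""
    current = {p: sha256_of(p) for p in paths if os.path.exists(p)}
    changes: List[Tuple[str, str]] = []
    for p, old in base.items():
        if p not in current:
            changes.append((p, "deleted"))
        elif current[p] != old:
            changes.append((p, "modified"))
    changes.extend((p, "added") for p in current if p not in base)
    return changes


def demo() -> dict:
    """Constructed scenario (all files are made up): one approved POS binary,
    one unknown binary, one binary banned by name, and a config file that is
    tampered with after the integrity baseline is taken."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "pos_app.exe": b"MZ approved POS application",
            "updater.exe": b"MZ unknown binary dropped on the terminal",
            "scraper.exe": b"MZ tool banned by name",
            "pos.conf": b"merchant_id=1234\n",
        }
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)

        approved = sha256_of(paths["pos_app.exe"])
        policy = TrustPolicy(approved_hashes={approved}, banned_names={"scraper.exe"})
        decisions = {n: policy.decide(paths[n])
                     for n in ("pos_app.exe", "updater.exe", "scraper.exe")}

        # An explicit hash ban overrides an earlier approval of the same file.
        revoked = TrustPolicy(approved_hashes={approved}, banned_hashes={approved})
        conflict = revoked.decide(paths["pos_app.exe"])

        # File-integrity monitoring: take a baseline, tamper, then detect it.
        monitored = [paths["pos.conf"], paths["pos_app.exe"]]
        base = baseline(monitored)
        with open(paths["pos.conf"], "ab") as f:
            f.write(b"debug=1\n")
        changes = [(os.path.basename(p), kind)
                   for p, kind in integrity_changes(base, monitored)]

    return {"decisions": decisions, "conflict": conflict, "changes": changes}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Bans are evaluated before approvals so that a revoked hash can never run merely because it was once approved, and the unknown `updater.exe` is denied without any signature being involved, which is the whole point of default deny. Because the policy is a local data structure, the verdict is the same whether the terminal is online or offline; a real product additionally needs a tamper-resistant way to update the policy and to ship the decisions and integrity events off the endpoint as audit evidence.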

PCI DSS 3.0's effect on POS security

PCI DSS 3.0 has had a substantial effect on the security of POS systems. Under this latest version of the PCI standard, POS systems are scrutinized much more than in the past.

When assessing POS systems for security and compliance, keep these three main changes in mind:

✓ You must be able to identify, detect, and alert on any change to critical data.

✓ You must ensure protection and PCI compliance at all integration points with the POS systems.

✓ You must protect POS systems from threats, including those systems that haven’t traditionally been affected by malware.

PCI DSS is very clear in what’s required of organizations when securing the POS environment.

Every situation is unique. However, POS systems that store, process, or transmit cardholder data fall within the scope of PCI DSS compliance requirements.

Mirroring the PCI Prioritized Approach

The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process.

Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table 5-1 shows four of the concentration areas you can benefit from.

Table 5-1 Benefits of the PCI DSS Prioritized Approach

PCI DSS Priority Area | The Positive Security Fit
Protect systems and networks | Protection: anti-malware and stopping advanced persistent threats (prevention)
Secure payment card applications | Risk measure: measure PCI and security risk and assess vulnerabilities (detection, visibility, prevention)
Monitor and control access | Monitoring critical systems (visibility, response)
Ensure all compliance controls are in place | Enforcement: prove security policies and device control (visibility)

Chapter 6

Deploying Proactive Point-of-Sale Security

In This Chapter

Defining your unique requirements

Understanding the Security Maturity Model

Managing your smart policies

Working with other security products

Now's the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems.

In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.

Defining Your Requirements

Not only does every organization have unique security requirements, but so does every POS environment. As you move toward selecting a POS threat detection, response, and prevention product, you should identify the requirements that are most important to your business and meet your specific needs.

If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful proposals from prospective vendors. Even if you don't go the RFP route, it's helpful to know what you're seeking before you begin evaluating products. Otherwise, you may find yourself in a "you don't know what you don't know" situation that you don't want to be in. As you set out on the path to selecting a POS security product, consider these key requirements:

✓ Visibility: Choose a product that records your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more relevant items it records (memory operations, parent processes, registry access), the better.

✓ Detonation capabilities: Choose a product that doesn't lock you in to a single vendor. If you want to integrate with an existing detonation product (one that executes suspect malware in an isolated virtual machine) or next-generation firewall, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from detonators and can also push data out to those detonators.

✓ Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.

✓ Lightweight agent: Users don't want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropriately. Defense without business/productivity disruption is a fundamental goal.

✓ Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default-deny approach (blocking everything that isn't explicitly trusted) in a manner consistent with the culture and operating environment of your organization by allowing

• Your other chosen strategies to naturally impart trust

• You to see how far that gets you in terms of measuring risk and assessing operational impact

• You to target low-hanging fruit that gets you one step closer
